CVE-2026-52782
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
In OpenProject prior to versions 17.3.3 and 17.4.1, an IDOR vulnerability exists in the endpoint /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]". A project administrator can hijack the managed Nextcloud or OneDrive folder of another project on the same storage, leading to unauthorized resource access.
Risk Assessment
The risk involves a project administrator being able to hijack another project's folder, potentially leading to data leakage or unauthorized access to files stored in external systems (Nextcloud/OneDrive).
Recommendation
Update OpenProject immediately to version 17.3.3 or 17.4.1, which contain the fix for this vulnerability.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources. A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.

